Django Timing Attack Vulnerability in mod_wsgi Authentication Handler Allows User Enumeration

Vulnerability

A vulnerability exists in Django versions 6.0 prior to 6.0.2, 5.2 prior to 5.2.11, and 4.2 prior to 4.2.28. The issue lies in the 'django.contrib.auth.handlers.modwsgi.check_password()' function, which is used for authentication via mod_wsgi. It allows remote attackers to enumerate users through a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated, but they may also be affected.
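The following is an added illustration of the bug class behind this advisory, not Django's code and not the exact defect fixed in the patched releases: a mod_wsgi-style check_password(environ, username, password) handler that returns early for unknown usernames (so those requests skip the expensive hash and finish faster) beside a hardened form that performs one hash verification on every request. The user store, the PBKDF2 parameters and the call-counting instrumentation are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a mod_wsgi check_password handler (illustrative only;
# not Django's implementation). Iteration count kept low so the example runs fast.
ITERATIONS = 50_000

def make_hash(password, salt=None):
    """Encode a password as pbkdf2_sha256$<iterations>$<salt>$<hex digest>."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest.hex()}"

def verify(password, encoded):
    """Recompute the hash for `password` and compare it in constant time."""
    _algo, iters, salt, digest = encoded.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iters))
    return hmac.compare_digest(candidate.hex(), digest)

USERS = {"alice": make_hash("correct horse")}     # constructed user store (assumption)
UNUSABLE_HASH = make_hash(secrets.token_hex(16))  # dummy hash verified when no user matches

HASH_CALLS = {"count": 0}  # instrumentation: how many expensive verifications ran

def counting_verify(password, encoded):
    HASH_CALLS["count"] += 1
    return verify(password, encoded)

def check_password_vulnerable(environ, username, password):
    """Unknown usernames return before any hashing, so they answer measurably faster."""
    encoded = USERS.get(username)
    if encoded is None:
        return None  # no hash computed: the response time reveals the account is absent
    return counting_verify(password, encoded)

def check_password_hardened(environ, username, password):
    """Every request pays for exactly one hash verification, known user or not."""
    encoded = USERS.get(username)
    if encoded is None:
        counting_verify(password, UNUSABLE_HASH)  # burn the same cost, then deny
        return None
    return counting_verify(password, encoded)

def hash_calls_for(handler, username, password):
    """Run `handler` once and report how many hash verifications it performed."""
    HASH_CALLS["count"] = 0
    handler({}, username, password)
    return HASH_CALLS["count"]
```

The hardened handler still returns None for an unknown user (mod_wsgi denies access either way); what changes is that the amount of work, and therefore the response time, no longer depends on whether the username exists.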

Impact

Exploitation of this vulnerability could lead to user enumeration, allowing attackers to identify valid usernames.

Remediation

Users can upgrade to Django versions 6.0.2, 5.2.11, or 4.2.28 to address this vulnerability.

Added: Feb 3, 2026, 3:46 PM
Updated: Feb 3, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.6
exploitability: 7.2
remediation: 7.7
relevance: 2.6
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.